Glossary of Commonly Used Terms
This glossary of terms lists the general terms related to the Cyturus application stack, and related fields, as commonly used throughout the application or in user documentation.
Last Updated: July 23, 2024
Approach Progression
The Domain-specific objectives and practices describe the progression of the approach to cybersecurity for each Domain in the model. Approach refers to the completeness, thoroughness, or level of development of an activity in a Domain. As an organization progresses from one MIL to the next, it will have more complete or more advanced implementations of the core activities in the Domain. At MIL1, while only the initial set of practices for a Domain is expected, an organization is not precluded from performing additional practices at higher MILs.
Cyber Maturity Index (CMI)™
The Cyber Maturity Index is a framework-agnostic scoring methodology that overlays any regulatory or compliance model. The CMI has proven useful to organizations both for giving leadership a visual articulation of current status and for measuring and comparing trends when analyzing remediation effort.
Domain
Domains contain a structured set of cybersecurity practices. Each set of practices represents the activities an organization can perform to establish and mature capability within the Domain.
Group
Each of the tactical Practices within the various framework models is assigned to a specified Group. A Group contains the relevant Practices from all Domains, so each Group represents a set of associated activities and provides a cross-Domain view of them. This makes it possible, for example, to distinguish Risk Management Strategy Practices from Risk Management Activity Practices. Likewise, the Policy Group gathers the governance gaps from all Domains into one place. Grouping Practices in this way reveals patterns and helps focus remediation activities across seemingly unrelated Domains and Practices.
Managed Finding
Enabling a practice to be added as a Managed Finding allows the user to configure a project to address the deficiency in the practice and/or parameters. The project information, tasking, and RACI will then be tied directly to the practice.
Maturity Management
This module within the CRT allows the user to view the project information (tasking assignments, RACI, etc.) for a given engagement or set of engagements.
Maturity Model
A maturity model is a set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline. Model content typically exemplifies best practices and may incorporate standards or other codes of practice within the discipline.
Maturity Indicator Levels
The CMI defines three Maturity Indicator Levels (MIL), MIL1 through MIL3, which apply independently to each Domain to measure progression of more advanced Practices.
Four aspects of the MILs are important for understanding and applying the CMI:
- The maturity indicator levels apply independently to each Domain. As a result, organizations may be operating at different MIL ratings for different Domains. For example, an organization could be operating at MIL1 in one Domain, MIL2 in another Domain, and MIL3 in a third Domain.
- The MILs are cumulative within each Domain; to earn a MIL in a given Domain, an organization must perform all of the practices in that level and its predecessor level(s). For example, an organization must perform all of the Domain practices in MIL1 and MIL2 to achieve MIL2 in the Domain. Similarly, the organization would have to perform all practices in MIL1, MIL2, and MIL3 to achieve MIL3.
- Establishing a target MIL for each Domain is an effective strategy for using the framework to guide cybersecurity program improvement. Cyturus will help your organization become familiar with the Practices in the framework and will assist in determining target MILs based on the results. Recommended gap correction activities and improvement efforts will then be focused on achieving those target levels.
- Practice performance and MIL achievement need to align with business objectives and the organization’s overall cybersecurity strategy. Striving to achieve the highest MIL in all Domains may not be optimal for all organizations. Each organization must evaluate the costs associated with achieving a specific MIL against the potential benefits and risk reduction.
Objective
The Practices within each Domain are organized into Objectives. Each Objective represents an achievement that supports the maturity progression of the Domain and also serves to organize the Practices into logical groupings. Think of an Objective as the business goal behind the requirement.
Practices
Practices are sometimes referred to as "Controls" in other frameworks. Within the CRT platform, a Practice can be any action performed with the intent to improve the resilience of the organization. Practices can be Controls, Processes, Procedures, Policies, Guidelines, Standards, or other activities that are required in order to mature the organization's security posture.
Parameters
Parameters are the parts or additional objectives of each Practice that, when all are completed and evidence is available, allow the Practice to be Fully Implemented.
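The two rules above, that a Practice is Fully Implemented only when every Parameter is completed with evidence, and that MILs are cumulative within a Domain, are shown together in the following added example. It is illustrative code written for this glossary, not part of the Cyturus CRT platform; the Practice identifiers, the "Asset Management" Domain and the Parameter names are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Parameter:
    """One part of a Practice: it counts only when completed AND evidenced."""
    name: str
    completed: bool = False
    evidence: bool = False


@dataclass
class Practice:
    """A Practice belongs to one Domain and one MIL (1..3)."""
    practice_id: str
    domain: str
    mil: int
    parameters: list = field(default_factory=list)

    def fully_implemented(self) -> bool:
        # Fully Implemented requires every Parameter to be completed
        # with evidence available; a Practice with no Parameters is
        # treated as a gap, not as implemented.
        return bool(self.parameters) and all(
            p.completed and p.evidence for p in self.parameters)


def achieved_mil(practices, domain, max_mil=3):
    """Highest MIL earned in a Domain under the cumulative rule."""
    level = 0
    for mil in range(1, max_mil + 1):
        # MIL n is earned only if every Practice at MIL n is fully
        # implemented AND every lower level was already earned.
        in_level = [p for p in practices if p.domain == domain and p.mil == mil]
        if not all(p.fully_implemented() for p in in_level):
            break
        level = mil
    return level


def domain_levels(practices):
    """Achieved MIL for every Domain; MILs apply independently per Domain."""
    return {d: achieved_mil(practices, d) for d in sorted({p.domain for p in practices})}


# Constructed sample data (not from any real assessment).
SAMPLE = [
    Practice("RM-1", "Risk Management", 1, [Parameter("policy", True, True)]),
    # "review" is completed but has no evidence, so RM-2 is not Fully Implemented
    Practice("RM-2", "Risk Management", 2, [Parameter("register", True, True),
                                            Parameter("review", True, False)]),
    Practice("RM-3", "Risk Management", 3, [Parameter("metrics", True, True)]),
    Practice("AM-1", "Asset Management", 1, [Parameter("inventory", True, True)]),
    Practice("AM-2", "Asset Management", 2, [Parameter("owners", True, True)]),
    Practice("AM-3", "Asset Management", 3, [Parameter("classification", False, False)]),
]
```

Note that Risk Management stays at MIL1 even though its MIL3 Practice is implemented, because the MIL2 gap blocks the cumulative progression.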
SIMM™
SIMM refers to the four foundational pillars that Domains and their associated Objectives require in order to build a sustainable Cybersecurity Program:
- Strategy: Design, Define, and Approve
- Implement: Plan, Execute, and Confirm
- Monitor: Effective, Efficient, and Consistent
- Manage: Review, Refine, and Improve (documentation, funding, stakeholders, resources)
The Manage pillar includes business activities for the Domain as well as the maturity process for the technical controls and processes that were implemented to meet the Control objectives.